America needs to treat ‘the cloud’ as critical infrastructure

When it comes to cybersecurity and Communist China, Microsoft needs to get its act together — and so does the American government.

When an independent board of experts tells a company — which boasts to its customers about the security its products offers — that its corporate culture in fact deprioritizes cybersecurity, it might be time for some self-reflection. When that company plays a dominant role providing essential technology services to the U.S. government, critical infrastructure, tens of thousands of companies and tens of millions of Americans, the federal government also needs to self-reflect.

This month, the Cyber Safety Review Board (CSRB) released a damning report on Microsoft’s cybersecurity failings, following revelations last summer that China’s hackers leveraged compromised Microsoft systems to access the email accounts of senior American officials. The report does not mince words: This cyberattack was “preventable,” and “should never have happened,” and was the result of a “cascade of security failures at Microsoft.”

Modeled on the National Transportation Safety Board, although with a narrower scope, the CSRB is a new initiative to investigate significant cybersecurity incidents. It provides recommendations to improve national cyber resilience based on its findings. Housed within the Department of Homeland Security, the CSRB is made up of government officials and experts from the private sector. Assessing how nation-state hackers can compromise America’s largest companies is one of the main reasons the Biden administration created the review board.

That Microsoft is a target of nation-state attacks is no surprise. Greater efficiencies and reduced costs have led to heavier reliance on geographically distributed data centers — that is, “the cloud.” Microsoft dominates the cloud service market, providing services to federal and state governments, corporate America and much of America’s critical national infrastructure. As the CSRB observed, “Microsoft’s ubiquitous and critical products ... underpin essential services that support national security, the foundations of our economy, and public health and safety.”

Hacking Microsoft’s cloud environment is the espionage equivalent of striking gold, the report vividly explained, and both nations and criminals are the “Forty-Niners” of this 21st-century gold rush.

What is shocking, disturbing and unacceptable is that Microsoft is significantly failing in both its security architecture and implementation of basic security procedures, as the report makes amply clear. The dependence of U.S. national security, economic prosperity and public health and safety on cloud service providers should require these companies to “demonstrate the highest standards of security, accountability, and transparency.” But the CSRB concluded that even as other cloud service providers were maintaining security controls, Microsoft was not.

This failure was exacerbated by Microsoft’s aggressive approach to reducing competition for its services by ensuring customers buy few or no other security services outside its product suite. This “monoculture” approach helps Microsoft’s bottom line but does not ensure its customers — even critical ones like the Department of Defense — are running the most effective security programs possible.

Microsoft’s cut-throat approach is a national security risk the United States cannot abide.

There is a solution to this challenge. Cloud service providers are, as the report notes, one of the “most important critical infrastructure industries” — yet, until now, the Biden administration, like its predecessors, has failed to treat them as such.

The administration is undertaking a review of the decade-old policy document that outlines which industries are considered critical infrastructure and how the federal government interacts with those sectors. The resulting update should state clearly and unambiguously that cloud services are a stand-alone critical infrastructure. Recognizing the cloud computing industry as critical infrastructure will ensure that a federal agency is assigned as the sector risk management agency to work to mitigate threats and establish cybersecurity standards nationally.

While designating the cloud as critical infrastructure and creating national cybersecurity standards for providers would be the most important step to come out of the CSRB’s report, there is still another Microsoft-sized elephant in the room.

The report leaves unaddressed Microsoft’s continued research and development and engineering work in the People’s Republic of China. While other tech companies have pulled out of the country, Microsoft has expanded collaboration with Beijing. The company has assured the public that it is a good corporate citizen and not complicit in China’s censorship, despite evidence that it is. And Microsoft dismisses concerns that this ongoing business relationship poses risks to U.S. national security. But after reading the CSRB report, no one can reasonably trust Microsoft’s ability to assess its own security risks.

Presidents Biden and Xi had a “candid and constructive” phone call earlier this month in which Biden warned his Chinese counterpart that the United States will “take necessary actions to prevent advanced U.S. technologies from being used to undermine our national security.”

It might be time for President Biden to have that conversation with Microsoft’s leadership as well.

Rear Adm. (Ret.) Mark Montgomery is a senior fellow and senior director of the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies. He served as executive director of the congressionally mandated Cyberspace Solarium Commission.